Hybrid code modification in intermediate language for software application

ABSTRACT

Computer program, methods, and systems for code modification of a programming language platform and a software application in an intermediate language at different times are disclosed. The methods and system may modify a portion of the programming language platform in the intermediate language at a first time to alter a functionality of or add a new functionality to the programming language platform; and may modify the software application in the intermediate language at a second time different from the first time, where the software application may be modified based on a runtime analysis rule that uses the altered or added new functionality of the programming language platform. The modified programming language platform may be included in a first package, and the modified software application may be included in a second package, and executed on the modified programming language platform.

COPYRIGHT NOTICE

A portion of the disclosure of this patent document contains materialwhich is subject to copyright protection. The copyright owner has noobjection to the facsimile reproduction by anyone of the patent documentor the patent disclosure, as it appears in the United States Patent andTrademark Office patent file or records, but otherwise reserves allcopyright rights whatsoever.

TECHNICAL FIELD

The technology relates to code modification in intermediate language forsoftware application and its application to detecting software securityvulnerabilities.

BACKGROUND

A metaprogram is a computer program that can read, generate, analyze, ortransform other programs, and/or modify itself while running.

Software applications may include vulnerabilities or flaws that allowhackers to access data and/or perform actions without authorization. Forexample, the unauthorized hacker may try to access a database or file onbehalf of an authorized user.

Current software analysis programs check for security flaws by trying totest every path through the software application source code. However,the analysis programs only provide snapshot views of the softwareapplication and do not test behaviors or states that may occur duringactual execution runtime. Security analysis programs may not have accessto all application source code and therefore may not be able to testinternal code paths for security flaws.

BRIEF DESCRIPTION OF THE DRAWINGS

The included drawings are for illustrative purposes and serve to provideexamples of possible structures and operations for the disclosedinventive systems, apparatus, methods and computer-readable storagemedia. These drawings in no way limit any changes in form and detailthat may be made by one skilled in the art without departing from thespirit and scope of the disclosed implementations.

FIG. 1A shows a block diagram of an example environment in which anon-demand database service can be used according to someimplementations.

FIG. 1B shows a block diagram of example implementations of elements ofFIG. 1A and example interconnections between these elements according tosome implementations.

FIG. 2 shows an example runtime analysis framework (RTA) used in adatabase system.

FIG. 3 shows an example process performed by the runtime analysisframework.

FIG. 4 shows an alternative example of the runtime analysis framework.

FIG. 5 shows rules used by the runtime analysis framework.

FIG. 6 shows in more detail how the runtime analysis framework maydetect a security vulnerability.

FIGS. 7A-7B show an example system including a software application anda runtime analysis framework (RTA) running on a programming languageplatform.

FIGS. 8A-8C show an example system, and a plurality of hybrid codemodification schemes.

DETAILED DESCRIPTION

Examples of systems, apparatus, computer-readable storage media, andmethods according to the disclosed implementations are described in thissection. These examples are being provided solely to add context and aidin the understanding of the disclosed implementations. It will thus beapparent to one skilled in the art that the disclosed implementationsmay be practiced without some or all of the specific details provided.In other instances, certain process or method operations, also referredto herein as “blocks,” have not been described in detail in order toavoid unnecessarily obscuring the disclosed implementations. Otherimplementations and applications also are possible, and as such, thefollowing examples should not be taken as definitive or limiting eitherin scope or setting.

In the following detailed description, references are made to theaccompanying drawings, which form a part of the description and in whichare shown, by way of illustration, specific implementations. Althoughthese disclosed implementations are described in sufficient detail toenable one skilled in the art to practice the implementations, it is tobe understood that these examples are not limiting, such that otherimplementations may be used and changes may be made to the disclosedimplementations without departing from their spirit and scope. Forexample, the blocks of the methods shown and described herein are notnecessarily performed in the order indicated in some otherimplementations. Additionally, in some other implementations, thedisclosed methods may include more or fewer blocks than are described.As another example, some blocks described herein as separate blocks maybe combined in some other implementations. Conversely, what may bedescribed herein as a single block may be implemented in multiple blocksin some other implementations. Additionally, the conjunction “or” isintended herein in the inclusive sense where appropriate unlessotherwise indicated; that is, the phrase “A. B or C” is intended toinclude the possibilities of “A,” “B,” “C,” “A and B,” “B and C,” “A andC” and “A, B and C.”

Some implementations described and referenced herein are directed tosystems, apparatus, computer-implemented methods and computer-readablestorage media for identifying articles helpful in resolving userqueries.

In some implementations, the users described herein are users (or“members”) of an interactive online “enterprise social network,” alsoreferred to herein as an “enterprise social networking system.” an“enterprise collaborative network,” or more simply as an “enterprisenetwork.” Such online enterprise networks are increasingly becoming acommon way to facilitate communication among people, any of whom can berecognized as enterprise users. One example of an online enterprisesocial network is Chatter®, provided by salesforce.com, inc. of SanFrancisco, Calif. salesforce.com, inc. is a provider of enterprisesocial networking services, customer relationship management (CRM)services and other database management services, any of which can beaccessed and used in conjunction with the techniques disclosed herein insome implementations. These various services can be provided in a cloudcomputing environment as described herein, for example, in the contextof a multi-tenant database system. Some of the described techniques orprocesses can be implemented without having to install software locally,that is, on computing devices of users interacting with servicesavailable through the cloud. While the disclosed implementations may bedescribed with reference to Chatter®, and more generally to enterprisesocial networking, those of ordinary skill in the art should understandthat the disclosed techniques are neither limited to Chatter® nor to anyother services and systems provided by salesforce.com, inc. and can beimplemented in the context of various other database systems such ascloud-based systems that are not part of a multi-tenant database systemor which do not provide enterprise social networking services.

I. Example System Overview

FIG. 1A shows a block diagram of an example of an environment 10 inwhich an on-demand database service can be used in accordance with someimplementations. The environment 10 includes user systems 12, a network14, a database system 16 (also referred to herein as a “cloud-basedsystem”), a processor system 17, an application platform 18, a networkinterface 20, tenant database 22 for storing tenant data 23, systemdatabase 24 for storing system data 25, program code 26 for implementingvarious functions of the system 16, and process space 28 for executingdatabase system processes and tenant-specific processes, such as runningapplications as part of an application hosting service. In some otherimplementations, environment 10 may not have all of these components orsystems, or may have other components or systems instead of, or inaddition to, those listed above.

In some implementations, the environment 10 is an environment in whichan on-demand database service exists. An on-demand database service,such as that which can be implemented using the system 16, is a servicethat is made available to users outside of the enterprise(s) that own,maintain or provide access to the system 16. As described above, suchusers generally do not need to be concerned with building or maintainingthe system 16. Instead, resources provided by the system 16 may beavailable for such users' use when the users need services provided bythe system 16; that is, on the demand of the users. Some on-demanddatabase services can store information from one or more tenants intotables of a common database image to form a multi-tenant database system(MTS). The term “multi-tenant database system” can refer to thosesystems in which various elements of hardware and software of a databasesystem may be shared by one or more customers or tenants. For example, agiven application server may simultaneously process requests for a greatnumber of customers, and a given database table may store rows of datasuch as feed items for a potentially much greater number of customers. Adatabase image can include one or more database objects. A relationaldatabase management system (RDBMS) or the equivalent can execute storageand retrieval of information against the database object(s).

Application platform 18 can be a framework that allows the applicationsof system 16 to execute, such as the hardware or software infrastructureof the system 16. In some implementations, the application platform 18enables the creation, management and execution of one or moreapplications developed by the provider of the on-demand databaseservice, users accessing the on-demand database service via user systems12, or third party application developers accessing the on-demanddatabase service via user systems 12.

In some implementations, the system 16 implements a web-based customerrelationship management (CRM) system. For example, in some suchimplementations, the system 16 includes application servers configuredto implement and execute CRM software applications as well as providerelated data, code, forms, renderable web pages and documents and otherinformation to and from user systems 12 and to store to, and retrievefrom, a database system related data, objects, and Web page content. Insome MTS implementations, data for multiple tenants may be stored in thesame physical database object in tenant database 22. In some suchimplementations, tenant data is arranged in the storage medium(s) oftenant database 22 so that data of one tenant is kept logically separatefrom that of other tenants so that one tenant does not have access toanother tenant's data, unless such data is expressly shared. The system16 also implements applications other than, or in addition to, a CRMapplication. For example, the system 16 can provide tenant access tomultiple hosted (standard and custom) applications, including a CRMapplication. User (or third party developer) applications, which may ormay not include CRM, may be supported by the application platform 18.The application platform 18 manages the creation and storage of theapplications into one or more database objects and the execution of theapplications in one or more virtual machines in the process space of thesystem 16.

According to some implementations, each system 16 is configured toprovide web pages, forms, applications, data and media content to user(client) systems 12 to support the access by user systems 12 as tenantsof system 16. As such, system 16 provides security mechanisms to keepeach tenant's data separate unless the data is shared. If more than oneMTS is used, they may be located in close proximity to one another (forexample, in a server farm located in a single building or campus), orthey may be distributed at locations remote from one another (forexample, one or more servers located in city A and one or more serverslocated in city B). As used herein, each MTS could include one or morelogically or physically connected servers distributed locally or acrossone or more geographic locations. Additionally, the term “server” ismeant to refer to a computing device or system, including processinghardware and process space(s), an associated storage medium such as amemory device or database, and, in some instances, a databaseapplication (for example, OODBMS or RDBMS) as is well known in the art.It should also be understood that “server system” and “server” are oftenused interchangeably herein. Similarly, the database objects describedherein can be implemented as part of a single database, a distributeddatabase, a collection of distributed databases, a database withredundant online or offline backups or other redundancies, etc., and caninclude a distributed database or storage network and associatedprocessing intelligence.

The network 14 can be or include any network or combination of networksof systems or devices that communicate with one another. For example,the network 14 can be or include any one or any combination of a LAN(local area network), WAN (wide area network), telephone network,wireless network, cellular network, point-to-point network, starnetwork, token ring network, hub network, or other appropriateconfiguration. The network 14 can include a TCP/IP (Transfer ControlProtocol and Internet Protocol) network, such as the global internetworkof networks often referred to as the “Internet” (with a capital “I”).The Internet will be used in many of the examples herein. However, itshould be understood that the networks that the disclosedimplementations can use are not so limited, although TCP/IP is afrequently implemented protocol.

The user systems 12 can communicate with system 16 using TCP/IP and, ata higher network level, other common Internet protocols to communicate,such as HTTP, FTP, AFS, WAP, etc. In an example where HTTP is used, eachuser system 12 can include an HTTP client commonly referred to as a “webbrowser” or simply a “browser” for sending and receiving HTTP signals toand from an HTTP server of the system 16. Such an HTTP server can beimplemented as the sole network interface 20 between the system 16 andthe network 14, but other techniques can be used in addition to orinstead of these techniques. In some implementations, the networkinterface 20 between the system 16 and the network 14 includes loadsharing functionality, such as round-robin HTTP request distributors tobalance loads and distribute incoming HTTP requests evenly over a numberof servers. In MTS implementations, each of the servers can have accessto the MTS data; however, other alternative configurations may be usedinstead.

The user systems 12 can be implemented as any computing device(s) orother data processing apparatus or systems usable by users to access thedatabase system 16. For example, any of user systems 12 can be a desktopcomputer, a work station, a laptop computer, a tablet computer, ahandheld computing device, a mobile cellular phone (for example, a“smartphone”), or any other Wi-Fi-enabled device, wireless accessprotocol (WAP)-enabled device, or other computing device capable ofinterfacing directly or indirectly to the Internet or other network. Theterms “user system” and “computing device” are used interchangeablyherein with one another and with the term “computer.” As describedabove, each user system 12 typically executes an HTTP client, forexample, a web browsing (or simply “browsing”) program, such as a webbrowser based on the WebKit platform, MICROSOFT's INTERNET EXPLORERbrowser, APPLE's SAFARI, GOOGLE's CHROME, OPERA's browser, or MOZILLA'sFIREFOX browser, or the like, allowing a user (for example, a subscriberof on-demand services provided by the system 16) of the user system 12to access, process and view information, pages and applicationsavailable to it from the system 16 over the network 14.

Each user system 12 also typically includes one or more user inputdevices, such as a keyboard, a mouse, a trackball, a touch pad, a touchscreen, a pen or stylus or the like, for interacting with a graphicaluser interface (GUI) provided by the browser on a display (for example,a monitor screen, liquid crystal display (LCD), light-emitting diode(LED) display, among other possibilities) of the user system 12 inconjunction with pages, forms, applications and other informationprovided by the system 16 or other systems or servers. For example, theuser interface device can be used to access data and applications hostedby system 16, and to perform searches on stored data, and otherwiseallow a user to interact with various GUI pages that may be presented toa user. As discussed above, implementations are suitable for use withthe Internet, although other networks can be used instead of or inaddition to the Internet, such as an intranet, an extranet, a virtualprivate network (VPN), a non-TCP/IP based network, any LAN or WAN or thelike.

The users of user systems 12 may differ in their respective capacities,and the capacity of a particular user system 12 can be entirelydetermined by permissions (permission levels) for the current user ofsuch user system. For example, where a salesperson is using a particularuser system 12 to interact with the system 16, that user system can havethe capacities allotted to the salesperson. However, while anadministrator is using that user system 12 to interact with the system16, that user system can have the capacities allotted to thatadministrator. Where a hierarchical role model is used, users at onepermission level can have access to applications, data, and databaseinformation accessible by a lower permission level user, but may nothave access to certain applications, database information, and dataaccessible by a user at a higher permission level. Thus, different usersgenerally will have different capabilities with regard to accessing andmodifying application and database information, depending on the users'respective security or permission levels (also referred to as“authorizations”).

According to some implementations, each user system 12 and some or allof its components are operator-configurable using applications, such asa browser, including computer code executed using a central processingunit (CPU) such as an Intel Pentium® processor or the like. Similarly,the system 16 (and additional instances of an MTS, where more than oneis present) and all of its components can be operator-configurable usingapplication(s) including computer code to run using the processor system17, which may be implemented to include a CPU, which may include anIntel Pentium® processor or the like, or multiple CPUs.

The system 16 includes tangible computer-readable media havingnon-transitory instructions stored thereon/in that are executable by orused to program a server or other computing system (or collection ofsuch servers or computing systems) to perform some of the implementationof processes described herein. For example, computer program code 26 canimplement instructions for operating and configuring the system 16 tointercommunicate and to process web pages, applications and other dataand media content as described herein. In some implementations, thecomputer code 26 can be downloadable and stored on a hard disk, but theentire program code, or portions thereof, also can be stored in anyother volatile or non-volatile memory medium or device as is well known,such as a ROM or RAM, or provided on any media capable of storingprogram code, such as any type of rotating media including floppy disks,optical discs, digital versatile disks (DVD), compact disks (CD),microdrives, and magneto-optical disks, and magnetic or optical cards,nanosystems (including molecular memory ICs), or any other type ofcomputer-readable medium or device suitable for storing instructions ordata. Additionally, the entire program code, or portions thereof, may betransmitted and downloaded from a software source over a transmissionmedium, for example, over the Internet, or from another server, as iswell known, or transmitted over any other existing network connection asis well known (for example, extranet, VPN, LAN, etc.) using anycommunication medium and protocols (for example, TCP/IP, HTTP, HTTPS,Ethernet, etc.) as are well known. It will also be appreciated thatcomputer code for the disclosed implementations can be realized in anyprogramming language that can be executed on a server or other computingsystem such as, for example, C, C++, HTML, any other markup language,Java™, JAVASCRIPT, ACTIVEX JavaScript, any other scripting language,such as VBScript, and many other programming languages as are well knownmay be used. (Java™ is a trademark of Sun Microsystems, Inc.).

FIG. 1B shows a block diagram of example implementations of elements ofFIG. 1A and example interconnections between these elements according tosome implementations. That is, FIG. 1B also illustrates environment 10,but FIG. 1B, various elements of the system 16 and variousinterconnections between such elements are shown with more specificityaccording to some more specific implementations. Additionally, in FIG.1B, the user system 12 includes a processor system 12A, a memory system12B, an input system 12C, and an output system 12D. The processor system12A can include any suitable combination of one or more processors. Thememory system 12B can include any suitable combination of one or morememory devices. The input system 12C can include any suitablecombination of input devices, such as one or more touchscreeninterfaces, keyboards, mice, trackballs, scanners, cameras, orinterfaces to networks. The output system 12D can include any suitablecombination of output devices, such as one or more display devices,printers, or interfaces to networks.

In FIG. 1B, the network interface 20 is implemented as a set of HTTPapplication servers 100 ₁-100 _(N). Each application server 100, alsoreferred to herein as an “app server”, is configured to communicate withtenant database 22 and the tenant data 23 therein, as well as systemdatabase 24 and the system data 25 therein, to serve requests receivedfrom the user systems 12. The tenant data 23 can be divided intoindividual tenant storage spaces 112, which can be physically orlogically arranged or divided. Within each tenant storage space 112,user storage 114 and application metadata 116 can similarly be allocatedfor each user. For example, a copy of a user's most recently used (MRU)items can be stored to user storage 114. Similarly, a copy of MRU itemsfor an entire organization that is a tenant can be stored to tenantstorage space 112.

The process space 28 includes system process space 102, individualtenant process spaces 104 and a tenant management process space 110. Theapplication platform 18 includes an application setup mechanism 38 thatsupports application developers' creation and management ofapplications. Such applications and others can be saved as metadata intotenant database 22 by save routines 36 for execution by subscribers asone or more tenant process spaces 104 managed by tenant managementprocess 110, for example. Invocations to such applications can be codedusing PL/SOQL 34, which provides a programming language style interfaceextension to API 32. A detailed description of some PL/SOQL languageimplementations is discussed in commonly assigned U.S. Pat. No.7,730,478, titled METHOD AND SYSTEM FOR ALLOWING ACCESS TO DEVELOPEDAPPLICATIONS VIA A MULTI-TENANT ON-DEMAND DATABASE SERVICE, by CraigWeissman, issued on Jun. 1, 2010, and hereby incorporated by referencein its entirety and for all purposes. Invocations to applications can bedetected by one or more system processes, which manage retrievingapplication metadata 116 for the subscriber making the invocation andexecuting the metadata as an application in a virtual machine.

The system 16 of FIG. 1B also includes a user interface (UI) 30 and anapplication programming interface (API) 32 to system 16 residentprocesses to users or developers at user systems 12. In some otherimplementations, the environment 10 may not have the same elements asthose listed above or may have other elements instead of, or in additionto, those listed above.

Each application server 100 can be communicably coupled with tenantdatabase 22 and system database 24, for example, having access to tenantdata 23 and system data 25, respectively, via a different networkconnection. For example, one application server 100 ₁ can be coupled viathe network 14 (for example, the Internet), another application server100 _(N-1) can be coupled via a direct network link, and anotherapplication server 100 _(N) can be coupled by yet a different networkconnection. Transfer Control Protocol and Internet Protocol (TCP/IP) areexamples of typical protocols that can be used for communicating betweenapplication servers 100 and the system 16. However, it will be apparentto one skilled in the art that other transport protocols can be used tooptimize the system 16 depending on the network interconnections used.

In some implementations, each application server 100 is configured tohandle requests for any user associated with any organization that is atenant of the system 16. Because it can be desirable to be able to addand remove application servers 100 from the server pool at any time andfor various reasons, in some implementations there is no server affinityfor a user or organization to a specific application server 100. In somesuch implementations, an interface system implementing a load balancingfunction (for example, an F5 Big-IP load balancer) is communicablycoupled between the application servers 100 and the user systems 12 todistribute requests to the application servers 100. In oneimplementation, the load balancer uses a least-connections algorithm toroute user requests to the application servers 100. Other examples ofload balancing algorithms, such as round robin andobserved-response-time, also can be used. For example, in someinstances, three consecutive requests from the same user could hit threedifferent application servers 100, and three requests from differentusers could hit the same application server 100. In this manner, by wayof example, system 16 can be a multi-tenant system in which system 16handles storage of, and access to, different objects, data andapplications across disparate users and organizations.

In one example storage use case, one tenant can be a company thatemploys a sales force where each salesperson uses system 16 to manageaspects of their sales. A user can maintain contact data, leads data,customer follow-up data, performance data, goals and progress data,etc., all applicable to that user's personal sales process (for example,in tenant database 22). In an example of a MTS arrangement, because allof the data and the applications to access, view, modify, report,transmit, calculate, etc., can be maintained and accessed by a usersystem 12 having little more than network access, the user can managehis or her sales efforts and cycles from any of many different usersystems. For example, when a salesperson is visiting a customer and thecustomer has Internet access in their lobby, the salesperson can obtaincritical updates regarding that customer while waiting for the customerto arrive in the lobby.

While each user's data can be stored separately from other users' dataregardless of the employers of each user, some data can beorganization-wide data shared or accessible by several users or all ofthe users for a given organization that is a tenant. Thus, there can besome data structures managed by system 16 that are allocated at thetenant level while other data structures can be managed at the userlevel. Because an MTS can support multiple tenants including possiblecompetitors, the MTS can have security protocols that keep data,applications, and application use separate. Also, because many tenantsmay opt for access to an MTS rather than maintain their own system,redundancy, up-time, and backup are additional functions that can beimplemented in the MTS. In addition to user-specific data andtenant-specific data, the system 16 also can maintain system level datausable by multiple tenants or other data. Such system level data caninclude industry reports, news, postings, and the like that are sharableamong tenants.

In some implementations, the user systems 12 (which also can be clientsystems) communicate with the application servers 100 to request andupdate system-level and tenant-level data from the system 16. Suchrequests and updates can involve sending one or more queries to tenantdatabase 22 or system database 24. The system 16 (for example, anapplication server 100 in the system 16) can automatically generate oneor more SQL statements (for example, one or more SQL queries) designedto access the desired information. System database 24 can generate queryplans to access the requested data from the database. The term “queryplan” generally refers to one or more operations used to accessinformation in a database system.

Each database can generally be viewed as a collection of objects, suchas a set of logical tables, containing data fitted into predefined orcustomizable categories. A “table” is one representation of a dataobject, and may be used herein to simplify the conceptual description ofobjects and custom objects according to some implementations. It shouldbe understood that “table” and “object” may be used interchangeablyherein. Each table generally contains one or more data categorieslogically arranged as columns or fields in a viewable schema. Each rowor element of a table can contain an instance of data for each categorydefined by the fields. For example, a CRM database can include a tablethat describes a customer with fields for basic contact information suchas name, address, phone number, fax number, etc. Another table candescribe a purchase order, including fields for information such ascustomer, product, sale price, date, etc. In some MTS implementations,standard entity tables can be provided for use by all tenants. For CRMdatabase applications, such standard entities can include tables forcase, account, contact, lead, and opportunity data objects, eachcontaining pre-defined fields. As used herein, the term “entity” alsomay be used interchangeably with “object” and “table.”

In some MTS implementations, tenants are allowed to create and storecustom objects, or may be allowed to customize standard entities orobjects, for example by creating custom fields for standard objects,including custom index fields. Commonly assigned U.S. Pat. No.7,779,039, titled CUSTOM ENTITIES AND FIELDS IN A MULTI-TENANT DATABASESYSTEM, by Weissman et al., issued on Aug. 17, 2010, and herebyincorporated by reference in its entirety and for all purposes, teachessystems and methods for creating custom objects as well as customizingstandard objects in a multi-tenant database system. In someimplementations, for example, all custom entity data rows are stored ina single multi-tenant physical table, which may contain multiple logicaltables per organization. It is transparent to customers that theirmultiple “tables” are in fact stored in one large table or that theirdata may be stored in the same table as the data of other customers.

II. Runtime Analysis of Software Security Vulnerabilities

A runtime analysis framework (RTA) may embed rules inside a softwareapplication to detect security vulnerabilities. Instead of trying tomanually test every logical flaw through the software application, theRTA framework may identify potentially malicious requests. The RTAframework then determines if security checks are performed prior tooutputting responses to the requests. If no security check is performed,the RTA framework identifies the operation as a security vulnerability.

During runtime of the software application, the runtime analysisframework may assign input tags to objects associated with the userrequests. The input tags may identify the requests as potentiallymalicious and carrying a security risk. The RTA framework then mayassign sanitization tags to the objects identifying security checksperformed on the objects during runtime.

The RTA framework identifies output responses to the user requests thatinclude the objects and compares the input tags assigned to the objectswith any sanitization tags assigned to the objects. The RTA frameworkmay identify the software application as susceptible to a securityvulnerability when the input tags for the objects do not includecorresponding sanitization tags.

The RTA framework uses the tagging scheme to verify security checks areperformed on runtime user flows susceptible to a security vulnerability.By tagging potentially malicious user requests, the RTA framework maynot need to exercise or have access to every source code flow within thesoftware application. The RTA framework may use bytecode to implementrules for the tagging scheme without having to access softwareapplication source code.

FIG. 2 shows an example runtime analysis framework (RTA) 218 operatingin a software application 210. In one example, software application 210may operate within a database system 16, receive user requests 230 fromuser system 12 and provide corresponding responses 232 back to usersystem 12. This is just one example and software application 210 and RTA218 may operate within any hardware or software environment thatperforms any operation. For example, software application 210 mayoperate within any cloud based or private database system 16 or mayoperate within a localized software environment within a laptopcomputer, tablet, smart phone, personal computer (PC), or the like, orany combination thereof.

A user may access database system 16 via user system 12 as describedabove. For example, the user may be a salesman that stores informationabout different customers in a customer relationship management (CRM)database system 16. Input methods 220 within software application 210may create one or more objects 214 from request 230. For example, usersystem 12 may request information regarding a particular customer nameand a Java input method 220 may convert request 230 into one or moreobjects 214. For explanation purposes, only one object 214 is referredto below. However, it should be understood that software application 210may create any number of objects 214 based on request 230.

Object 214 may identify the user making request 230 and identify therequested customer name. Any data, message, string, tag, flag,information, method, function, or the like, or any combination thereofcreated and processed by software application 210 may be referred togenerally as an object.

Software application 210 may preform multiple different operations onobject 214 pursuant to request 230. For example, software application210 may access different files in a file system 242, access data in adatabase 240, and/or access data in memory for information associatedwith request 230.

Software application 210 also may perform different security checksbased on request 230. For example, a security method 221 may perform anaccess check to determine if the user is authorized to view therequested information. Another security method 221 may scrub request 230for malware, such as JavaScript.

Software application 210 may eventually call an output method 212 thatgenerates a response 232 to request 230. For example, output method 212may send a hypertext transfer protocol (HTTP) response to user system 12for displaying on a web page. Response 232 may include data from object214, data from database 240, and/or files from file system 242 requestedin object 214. Other output methods 212 may store data from object 214in database 240 or file system 242.

RTA 218 may identify ingress points where software application 210 anddatabase system 16 are vulnerable to security attacks. For example,request 230 from user system 12 may contain viruses or malware. RTA 218may assign an one or more input tags 216 to object 214 identifyingobject 214 as potentially malicious and a security risk. For explanationpurposes, only one input tag 216 is described below assigned to object214.

RTA 218 also may assign one or more sanitization tags 218 identifyingsecurity checks performed on object 214. For example, RTA 218 may assigna first sanitization tag 218 to object 214 when a security method 221checks database access rights for the user sending request 230. RTA 218may assign other sanitization tags 218 for other security operationsperformed on object 214, such as a security method that scrubs object214 for malware.

RTA 218 also may identify egress points where software application 210generates a response 232 or output for request 230. For example, RTA 218may identify output method 212 as an egress point where response 232 issent back to user system 12. RTA 218 may identify the path from inputmethod 220 to output method 212 as potential security vulnerability,since input method 220 generates object 214 from a user request 230 andoutput method 212 outputs a response 232 associated with the userrequest object 214.

RTA 218 uses input tag 216 and sanitization tag 218 to confirm propersecurity checks are performed on object 214. Any object 214 with aninput tag 216 and no corresponding sanitization tag 218 is identified asa vulnerability in report 222. As mentioned above, RTA 218 may assignmultiple sanitization tags 218 to object 214 for each different securitycheck. RTA 218 may determine if object 214 includes all of the propersanitization tags 218 associated with input tag 216. RTA 218 mayidentify a vulnerability when any of the multiple sanitization tags 218are missing.

In summary, RTA 218 identifies potential vulnerabilities in softwareapplication 210 by assigning an input tag 216 to object 214. RTA 218confirms proper security operations are performed by assigningassociated sanitization tags 218 to object 214. During output method212, RTA 218 then checks object 214 for any input tag 216 and associatedsanitization tags 218. RTA 218 identifies a vulnerability in report 222when object 214 includes input tag 218 but does not include the propersanitization tags 218. RTA 218 may consider an object 214 without aninput tag 216 as not potentially malicious, since the object 214 is notfrom a user request 230.

The tagging scheme in RTA 218 may operate during normal execution ofsoftware application 210 and therefore identify actual runtimevulnerabilities. RTA 218 assigns and checks input tags 216 andsanitization tags 218 based on identified input methods 220, securitymethods 221, and output methods 212. This allows RTA 218 to identifyvulnerabilities without having to access individual lines of source codein software application 210.

FIG. 3 shows an example process for detecting a software vulnerability.In operation 300A, the RTA may detect the software application calling auser input method. For example, the software application may receive arequest that includes a universal resource locator (URL) sent from auser web browser.

In operation 300B, the RTA may assign an input tag to the object fromthe input method. For example, the RTA may assign an input tagidentifying the object generally as a user input or more specifically asa user URL input.

In operation 300C, the RTA may identify one or more security methodscalled by the software application. For example, a security operationmay perform a database access check confirming the user hasauthorization to access the data requested by the object. In operation300D, the RTA may assign a sanitization tag to the object identifyingthe type of security check performed on the object.

In operation 300E, the RTA may detect the software application callingan output method. For example, the software application may call amethod that outputs data associated with the object to a web page,database, or file.

In operation 300F, the RTA compares any input tags assigned to theobject with any sanitization tags assigned to the object. For example,the RTA may first determine if the object includes an input tagindicating the object came from a user and is potentially malicious andmay be a security risk.

If an input tag exists, the RTA may determine if the object includes oneor more corresponding sanitization tags for security operationsperformed on the object. For example, if the output method outputs datafrom a database, the sanitization tag may indicate a database accesscheck was performed confirming the user has rights to access the datafrom the database.

In operation 300F, the RTA may determine there is no vulnerability whenno input tag is assigned to the object indicating the object is notassociated with a user request. The RTA also may determine there is novulnerability when the object includes an input tag and one or moreproper sanitization tags. This indicates the software applicationperformed the proper security checks on an potentially malicious object.

The RTA may identify an object with an assigned input tag and nosanitization tag. This may indicate a vulnerability since the softwareapplication did not perform any security check on the potentiallymalicious user input object. In operation 300G, the RTA may identify thevulnerability by logging the name and line number of the output method.

In operation 300F, the RTA may identify an object with an input tag anda sanitization tag. However, the sanitization tag may not be the propersanitization tag. This may indicate a vulnerability since the softwareapplication did not perform the proper security check on the objectprior to generating a response. In operation 300G, the RTA may identifya vulnerability by logging the name and line number of the outputmethod.

In one example, some or all of the operations described above areperformed during execution runtime while of the software application isreceiving user requests and generating associated responses. In anotherexample, some or all of the operations may be performed offline in atesting environment using test inputs.

FIG. 4 shows another example of runtime analysis framework (RTA) 218located in a software application 400. As mentioned above, softwareapplication 400 may perform any operation within any computer softwareenvironment. For example, software application 400 may be customerrelationship management (CRM) software or any other type of cloudcomputing software.

RTA 218 may identify all normal ingress and egress operations insoftware application 400, such as receiving request 428 from a webbrowser 430 operating on user system 12, accessing a database 422 orfile system 423, and writing/printing responses 426 back to a web page432 on a web browser 430. RTA 218 also may identify security checksperformed during software application 400. RTA 218 may identifyvulnerabilities in software application 400 based on the identifiedinputs, outputs, and security checks.

For example, a user of user system 12 may use web browser 430 to requestinformation regarding a sales lead 434. The user may send request 428for lead 434 to database system 16. An input method 418 in softwareapplication 400 may create a lead object 406 in response to lead request428. Lead object 406 may identify the user on user system 12 andidentify lead 434.

An RTA input rule 420 may include software added to software application400 that assigns input tag 410 to any object 406 created by input method418. For example, a hacker may have entered malware into request 428 andassociated object 406. In another example, a user may simply try to viewa record in database system 16 without proper authorization. Input rule420 may attach input tag 410 identifying lead object 406 as potentiallymalicious and then transfer operation back to input method 418.

One or more input rules 420 may exist within software application 400.Any input method 418 that receives an input or any other potentiallymalicious data may include an associated input rule 420. Each input rule420 may assign an input tag 410 that identifies the type of data withinobject 406. As mentioned above, request 428 may produce multiple objects406 that trigger multiple different input rules 420 to each assign inputtags 410 to one or more of the multiple objects 406. Again, forexplanation purposes only a single object 406 and input tag 410 areshown.

Lead object 406 may travel through different logical paths of softwareapplication 400. For example, software application 400 may call asecurity method 402 to perform a security check on lead object 406 priorto accessing database 422. Software application 400 then may call anoutput method 412 to output data from database 422 back to user system12.

One or more RTA sanitization rules 404 may include software added tosoftware application 400 that attach sanitization tags 408 to leadobject 406. For example as mentioned above, security method 402 mayperform a security check to confirm the user identified in lead object406 is authorized to access database 422. Sanitization rule 404 mayattach sanitization tag 408 to lead object 406 during security method402 and then return control back to security method 402.

One or more RTA output rules 414 may include software added to softwareapplication 400 that assign one or more output tags 415 to associatedoutput methods 412. For example, an output method 412 may output leaddata requested in lead object 406 to web page 432 on user system 12.

In one example, RTA 218 may store a list of defined vulnerabilities 416in memory. Defined vulnerabilities 416 may identify the appropriatesanitization tags for different input and output tags. Output rule 414may compare output tag 415, input tag 410, and sanitization tag 408 withdefined vulnerabilities 416.

Based on the comparison, RTA 218 may determine the code path of leadobject 406 through software application 400 is either vulnerable to asecurity attack or not vulnerable to a security attack. For example, RTA218 may identify a defined vulnerability 416 with an associated outputtag and input tag that match output tag 415 for output method 412 andinput tag 410 for lead object 406, respectively.

RTA 218 may identify a vulnerability when the sanitization tags in theidentified defined vulnerability 416 do not match sanitization tags 408assigned to lead object 406. RTA 218 then may identify the definedvulnerability 416, input method 418 and/or output method 412 as anactual vulnerability in report 424.

RTA 218 may determine the defined vulnerability 416 is not an actualvulnerability when the sanitization tags in defined vulnerability 416match sanitization tags 408 assigned to lead object 406. In other words,RTA 218 confirms software application 400 performed the proper securitycheck on lead object 406 prior to outputting the lead data back to usersystem 12.

RTA 218 may determine any object 406 with no input tag 410 is notpotentially malicious since the object did not come from a user inputrequest. RTA 218 may identify any object 406 with an input tag 410 butno sanitization tags 408 as potentially malicious since no securityoperations were performed on the user input request. RTA 218 then mayidentify the portion of software application 400 including output method412 as vulnerable to a security risk.

Some defined vulnerabilities 416 may include multiple differentsanitization tags 408. For example, a defined vulnerability 416 mayrequire multiple different security checks. RTA 218 may identify avulnerability when object 406 does not include each of the differentsanitization tags in defined vulnerability 416.

Software application 400 may write multiple different pieces of data toweb page 432. For example, the data may include a logo and text. Thelogo may come from a static file in file system 423 or database 422 andmay not be potentially malicious. RTA 218 may not attach an input tag410 to the logo. However, the text may include data from request 428that is potentially malicious.

RTA 218 may assign an input tag 410 to the object associated with thetext and may not assign an input tag 410 to the object associated withthe logo. RTA 218 then may confirm the text object includes anassociated sanitization tag. RTA 218 may not need to confirm the logoobject includes any associated sanitization tag since the logo objectdoes not include an input tag.

Input tags 410, sanitization tags 408, and output tags 415 arealternatively referred to as event tags, flags, events and may includeany other type of identifier. RTA 218 may assign the event tagsidentifying potential vulnerabilities to any method, object, or anyother operation or data within software application 400.

RTA 218 may more easily identify vulnerabilities for existing or newfunctions in software application 400. For example, RTA 218 may define anew potential vulnerability simply by adding a new rule to softwareapplication 400 that assigns a new input tag, sanitization tag, oroutput tag for the new method. RTA 218 then may add a new definedvulnerability 416 that includes the tags associated with the new method.

FIG. 5 shows rules used by RTA 218 in more detail. In one example,software application 400 receives a URL input 428 from the user system12 in FIG. 4. Software application 400 calls input method 418 to processURL input 428, such as getURLparameter( ). Input method 418 may createobject 406 for URL input 428.

Input rule 420 may comprise bytecode that automatically assigns inputtag 410 to object 406 when software application 400 calls input method418. Input tag 410 may be any type of user identifier added to object406. For example, input tag 410 may be series of bits or charactersadded to a data string for object 406. In one example, input tag 410 mayidentify the particular type of user input, such as a URL input.

Sanitization rule 404 may comprise bytecode that automatically assignssanitization tag 408 to object 406 when software application 400 callssecurity method 402. Sanitization tag 408 also may be another series ofbits or characters added to the data string of object 406. In oneexample, sanitization tag 216 may identify a particular type of securityoperation performed by security method 406, such as a security operationthat scrubs object 406 for JavaScript.

As mentioned above, software application 400 may perform multiplesecurity checks based on request 428. For example, software application400 may perform the scrub operation of security method 402. Softwareapplication 400 also may perform a database access check to determine ifthe user has authorization to access a requested database record. RTA218 may add multiple sanitization tags 408 identifying each securitycheck performed on object 406.

Output rule 414 may comprise bytecode that automatically assigns outputtag 415 when software application 400 calls output method 412. In oneexample, output tag 415 may identify a particular type of outputoperation performed by output method 212, such as a HttpOutput( ). Otheroutput rules 414 may attach output tags 415 that identify other types ofoutput methods, such as methods that write to files, databases, and/orweb pages.

FIG. 6 shows an example process for detecting a vulnerability insoftware application 400. As mentioned above, RTA 218 may store definedvulnerabilities 416 in memory that each includes an output tag 452, aninput tag 454, and sanitization tags 456.

In one example, defined vulnerability 416A may identify a cross sitescripting (XSS) vulnerability where a user input may include JavaScriptthat software application 400 could output to a web page. Definedvulnerability 416A may include an output tag 452A for an output methodthat prints an object to a web page, such as a HttpOutput( ) method.

Defined vulnerability 416A also may include an input tag 454A associatedwith the XSS vulnerability. For example, input tag 454A may identify anobject received from a user web page, such as an object generated by aURLInput( ) method. Defined vulnerability 416A also may include one ormore sanitization tags associated with the cross site scriptingvulnerability. For example, a sanitization tag 456A may identify asecurity method that scrubs objects for JavaScript.

Tagging output method 412 with output tag 415 may trigger RTA 218 toperform a vulnerability test. RTA 218 first may determine if output tag415 for output method 412 matches any defined output tags 452 fordefined vulnerabilities 416. RTA 218 may determine output method 412 hasno actual vulnerabilities when output tag 415 does not match any outputtags 452 in defined vulnerabilities 416.

Otherwise, RTA 218 may identify one or more defined vulnerabilities 416with matching output tags 452. In one example, output tag 415 may matchoutput tag 452A for defined vulnerability 416A. RTA 218 then comparesassigned input tag 410 for object 406 with input tag 454A in definedvulnerability 416A.

RTA 218 may disregard defined vulnerability 416A if object 406 does notinclude a matching input tag 454A. For example, assigned output tag 415may match defined output tag 452A, but assigned input tag 410 for object406 may not match defined input tag 454A. In another example, object 406may not have an input tag 410. For example, object 406 may not beassociated with a user input request. RTA 218 also may disregard definedvulnerability 416A since object 406 does not include a matching inputtag.

RTA 218 checks for matching sanitization tags when assigned output tag415 for output method 412 and assigned input tag 410 for object 406match defined output tag 452A and defined input tag 454A, respectively.For example, RTA 218 compares assigned sanitization tag 408 for object406 with sanitization tag 456A for defined vulnerability 416A.

Defined vulnerability 416A is not considered an actual vulnerabilitywhen security flags 408 and 456A match. This indicates softwareapplication 400 performed the proper security check prior to outputtingdata associated with object 406. However, defined vulnerability 416A isconsidered an actual vulnerability when object 406 does not have anassigned sanitization tag 408 or has an assigned sanitization tag 408that does not match sanitization tag 456A. No assigned sanitization tag408 may indicate software application 400 performed no security checkson object 406. A non-matching sanitization tag 408 may indicate softwareapplication 400 performed a security check, but not the proper securitycheck identified by sanitization tag 456A.

RTA 218 identifies an actual vulnerability 462 in report 460 whenassigned sanitization tag 408 does not match defined sanitization tag456A. For example, RTA 218 may identify an actual vulnerability 462 inreport 460 that includes a name 464, class name 466, and line number 468for output method 412.

RTA 218 may identify actual vulnerabilities 462 for any other objects inoutput method 412 or for any another objects in any other output methodsin software application 400. For example, RTA 218 may identify othermethods 412 with an output tag 415 and input tag 410 matchingcorresponding output and input tags in defined vulnerabilities 416, butwithout non-matching sanitization tags 456.

Multiple vulnerabilities may be associated with output method 412 andobject 406. For example, in addition to the XSS security check, softwareapplication 400 might need to perform a database access check to confirmthe user has authorization to view a particular requested databaserecord. A second defined vulnerability 416B may include a same ordifferent output tag 452B and input tag 454B as defined vulnerability416A, and may include a different sanitization tag 456B associated witha database access check.

RTA 218 may identify a second match between the same or other assignedtags 415 and 410 and defined tags 452B and 454B, respectively. RTA 218then may compare the assigned sanitization tags 406 for object 406 withdefined sanitization tag 456B. RTA 218 identifies output method 412 asan actual vulnerability in report 460 when no assigned sanitization tags408 for object 406 match defined sanitization tag 456B. Definedvulnerability 416B is disregarded when one of the assigned sanitizationtags 408 for object 406 matches defined sanitization tag 456B.

A Java compiler may convert source code for software application 400into bytecode. In one example, RTA 218 may be implemented in JavaScriptobject notation (JASON) code. A code generation tool converts the JASONfor RTA 218 into Java bytecode. At runtime the bytecode is convertedinto machine code by a just in time Java compiler.

Using bytecode allows RTA 218 to be integrated with bytecode forsoftware application 400 without having to access associated sourcecode. The bytecode may include a finite set of instructions more easilyidentified and tagged by the RTA rules. RTA 218 also may be implementedin any other languages, such as C++, basic, etc.

III. Hybrid Code Modification in Intermediate Language for SoftwareApplication

Software applications may include vulnerabilities or flaws that allowhackers to access data and/or perform actions without authorization.Analysis programs checking for security flaws by testing the softwareapplication source code may not be feasible due to the difficulty inaccessing source code. Even when source code is available, analysisprograms may further fail to test behaviors or states that may occurduring actual execution runtime of the source code. A runtime analysisframework (RTA) may embed runtime analysis rules inside a softwareapplication to detect security vulnerabilities without accessing sourcecode, and without manually testing every logical flaw through thesoftware application.

A hybrid code modification scheme may embed runtime analysis rules intosoftware applications to detect security vulnerabilities while avoidingto access source code. The hybrid code modification scheme may comprisetwo stages: code modification for a portion of a programming languageplatform at a first time, e.g., post-compile time, and code modificationof the software application at a second time, e.g., runtime.

The code modification of a portion of a programming language platformmay modify, e.g., add new functionality to, change, or remove existingfunctionality from, the programming language platform that multiplesoftware applications can use to reduce code modification complexity.The modification of the software application at runtime may use the newadded or changed functionality of the programming language platform.

FIG. 7A shows an example runtime analysis framework (RTA) 218 operatingin a software application 210, similar to the RTA 218 shown in FIG. 2.In one example, the software application 210 may operate within adatabase system 16, receive a user request 230 from a user system 12 andprovide a corresponding response 232 back to the user system 12. Aninput method 220 within the software application 210 may create one ormore objects 214 from the request 230. Software application 210 maypreform multiple different operations on the object 214 pursuant to therequest 230. For example, the software application 210 may accessdifferent files in a file system 242, access data in a database 240,and/or access data in memory for information associated with the request230.

Software application 210 also may perform different security checksbased on request 230. For example, security method 221 may perform anaccess check to determine if the user is authorized to view therequested information. Another security method 221 may scrub request 230of malicious input such as cross-scripting attempts.

Software application 210 may eventually call an output method 212 thatgenerates a response 232 to the request 230. For example, an outputmethod 212 may send a hypertext transfer protocol (HTTP) response to theuser system 12 for displaying on a web page. The response 232 mayinclude data from the object 214, data from the database 240, and/orfiles from the file system 242 requested in the object 214. Other outputmethods 212 may store data from object 214 in database 240 or filesystem 242.

RTA 218 may identify potential vulnerabilities in software application210 by assigning an input tag 216 to object 214. RTA 218 confirms propersecurity operations are performed by assigning associated sanitizationtags 228 to object 214. During output method 212, RTA 218 checks object214 for any input tag 216 and associated sanitization tags 228. RTA 218may identify a vulnerability in report 222 when object 214 includesinput tag 218 but does not include the proper sanitization tags 218. RTA218 may consider an object 214 without an input tag 216 as notpotentially malicious, since the object 214 is not from a user request230.

The tagging scheme in RTA 218 may operate during normal execution ofsoftware application 210 and therefore identify actual runtimevulnerabilities. RTA 218 assigns and checks input tags 216 andsanitization tags 218 based on identified input methods 220, securitymethods 221, and output methods 212. Tagging scheme in RTA 218 duringnormal execution of software application 210 may allow RTA 218 toidentify vulnerabilities without having to access individual lines ofsource code in software application 210.

RTA 218 and software application 210 may operate on a programminglanguage platform 260. The programming language platform 260 may includea suite of programs that facilitate developing and running programswritten in the programming language. For example, the programminglanguage platform 260 may be one of a plurality of programming languageplatforms, such as Java platform. C# and .NET platform, PHP/PERL/PYTHON(LAMP) platform, or C++ (QT/BOOST/WT/C++ Ox) platform. For eachplatform, there may be a plurality of variations. In one example, theprogramming language platform 260 may be Java platform Micro Edition(ME), Standard Edition (Java SE), or Enterprise Edition (EE). Theprogramming language platform 260 may be different for different classesof devices and applications. There may be multiple software applications210 running on multiple programming language platforms 260 at the sametime within the database system 16, as shown in FIG. 7A.

FIG. 7B shows more details of the software application 210 running onthe programming language platform 260. The programming language platform260 may include a compiler, a set of libraries, and an execution engine262, such as a virtual machine. The programming language platform 260may be running on a hardware platform 270 which may include an operatingsystem 271 and a hardware 273. For example, the hardware platform 270may include Microsoft Windows, Linux, Solaris OS, and Mac OS, running ona hardware 273. There may be a plurality of choices for the hardware273. For example, the hardware 273 may be the processor system 17 ofFIG. 1A.

The software application 210 running on the programming languageplatform 260 may be provided in source code 211 written in a high-levelprogramming language. A high-level programming language code may be aprogram similar to, although simpler than, natural language. A programwritten in a high-level language, e.g., source code 211, may not rundirectly on the hardware 273 without first being translated into machinelanguage. For example, the source code 211 may be translated into amachine language code 275, where the machine language code 275 maycomprise instructions executable directly by the hardware 273.

The translation from the source code 211 to the machine language code275 may be done by a compiler. A compiler may take a high-level-languageprogram, e.g., the source code 211, and translate it into an executablemachine-language program, e.g., the machine language code 275.Additionally and alternatively, the source code 211 may be translated byan interpreter into an executable machine-language program, e.g., themachine language code 275. The interpreter may translate the source code211 instruction-by-instruction. Furthermore, the source code 211 may betranslated by a combination of the two forms of a compiler and aninterpreter. For example, when the source code 211 is in Java language,the source code 211 may be translated or converted into the machinelanguage code 275 by a combination of a compiler and an interpreter.

In examples, the source code 211 may be directly translated into itstarget machine language code 275. Additionally and alternatively, thesource code 211 may be translated into a code in an intermediatelanguage, e.g., an intermediate language code 261. Code in anintermediate language, sometime called intermediate code, can berepresented in a variety of ways with different benefits.

High-level intermediate language code may be close to the source codeitself, e.g., the source code 211, while low level intermediate languagecode may be close to the target machine language code, e.g., the machinelanguage code 275, which may be suitable for register and memoryallocation, and instruction set selection. An intermediate language code261 may be either language specific (e.g., bytecode for Java) orlanguage independent (e.g., three-address code).

In one example, the programming language platform 260 may use Javatechnology. For example, a Java platform 260 may have two components:the Java Virtual Machine (JVM) corresponding to the execution engine262, and the Java Application Programming Interface (API) which is notshown in FIG. 7B. The API may be a collection of ready-made softwarecomponents that provide useful capabilities. The API may be grouped intolibraries of related classes and interfaces; these libraries may bereferred to as packages.

Source code 211 in Java programming language may be written in plaintext files ending with the .java extension. Those source code files maythen be compiled into .class files by the javac compiler. A .class filemay contain bytecodes 261, an intermediate language code for theexecution engine, e.g., JVM 262. The bytecodes may operate independentlyof hardware 273 and an operating system 271 operating on the hardware273.

The system shown in FIG. 7B may be just one example. Softwareapplication 210 may operate on any hardware or software environment thatperforms any operation. For example, software application 210 mayoperate within any cloud based environment or may operate within alocalized software environment within a laptop computer, tablet, smartphone, personal computer (PC), or the like, or any combination thereof.

RTA 218 in FIG. 7B may identify potential vulnerabilities in thesoftware application 210 by assigning input tags, associatedsanitization tags, and further identifying vulnerabilities based on theinput tags and sanitization tags as described above. The assignments ofinput tags and associated sanitization tags, and the identification ofvulnerabilities in software application 210 may be facilitated bymodifying code in software application 210 and modifying code inprogramming language platform 260.

FIG. 8A shows an example hybrid code modification scheme 800, andanother example hybrid code modification scheme 810 applied to Javaprogramming language platform and a software application. In oneexample, hybrid code modification scheme 810 is used to add securityvulnerability detection to the software application.

Operation 800A of the hybrid code modification scheme 800 may alter afunctionality of or add a new functionality by modifying a portion ofthe programming language platform in an intermediate language. Forexample, the portion of the programming platform 260 may be an executionengine 262 as shown in FIG. 7B, and the intermediate language may bebytecode. The bytecode may operate on different hardware platformsindependent of hardware and an operating system operating on thehardware. Operation 800A may modify the execution engine 262 at a firsttime, when the execution engine is converted from source code into theintermediate language. In some examples, conversion of the executionengine 262 source code into the intermediate language code may beperformed by a compiler, an interpreter, or a combination of a compilerand an interpreter.

Operation 800B of the hybrid code modification scheme 800 may modify thesoftware application in the intermediate language at a second timedifferent from the first time. The software application may be modifiedto include a runtime analysis rule that uses the altered or added newfunctionality in the programming language platform. For example, thesoftware application 210 shown in FIGS. 7A and 7B may operate in adatabase system 16, receive a request 230 from a user system 12, andgenerate a hypertext transfer protocol (HTTP) response 232 to thereceived request 230. Operation 800B may modify the software application210 based on a runtime analysis rule in RTA 218, to assign an input tag216 or a sanitization tag 228 to an object 214. Operation 800B maymodify the software application 210 at runtime, which is different fromthe time when the execution engine 262 is converted from source codeinto intermediate language code at operation 800A.

Operation 800C of the hybrid code modification scheme 800 may executethe modified software application on the modified programming languageplatform. In one example, the modified portion of the programminglanguage platform may be provided in a first package, and the modifiedsoftware application may be provided in a second package different fromthe first package.

In one example, the hybrid code modification scheme may insert code intothe programming language platform and/or the software application, thatdetects security vulnerabilities. Additionally and alternatively, thehybrid code modification scheme may delete or change code, instead ofinserting code, in the programming language platform and/or the softwareapplication.

FIG. 8A shows another example hybrid code modification scheme 810applied to Java programming language platform and a softwareapplication. Operation 810A may insert a string tracking function into ajava.lang.String object 268 for a JVM 266 of Java programming platform264 after JVM 266 is converted from source code into bytecode. Otherfunctions such as a stream tracking function, or an array trackingfunction, not shown, or others, may be inserted into the JVM 266 aswell. Furthermore, the insertion of string tracking function into ajava.lang.String is only for example purpose, and not limiting. Inembodiments, RTA is not limited to strings, streams, arrays, and anyobject type can be tracked.

Operation 810B may insert second code into the software application 214that causes software application 214 to use the new functionality addedto the programming language platform 264. In one example, operation 810Bmay insert bytecode into software application 214 based on the runtimeanalysis rules described above. For example, operation 810B may insertinput tag 410 to an object 406 based on input rule 420, and/or insertsanitization tag 408 to an object 406 based on sanitization rule 404.

In one example, input tag 410 and/or sanitization tag 408 may be encodedas a string, e.g., a string 001100. The encoded string may be 64 bitslong, where each of the 64 bits has a binary value 0 and 1, representingan object or an event. For example, the first bit, at position 0 of the64 bits, may represent a page displaying the object 214, the second bitat position 1 of the 64 bits may represent the Hypertext TransferProtocol (http) protocol, the third bit at position 2 of the 64 bits mayrepresent a Uniform Resource Locator (URL) address of the page. Theremay be many different ways to encode a tag into a string.

Operation 810C may execute the modified software application on themodified programming language platform. In one example, the modifiedportion of the programming language platform may be provided in a firstpackage, and the modified software application may be provided in asecond package different from the first package. For example, theexisting java.lang.String class may be provided in an rt.jar, whichcontains JVM 266. The hybrid code modification scheme 810 may modify theexisting javalang.String class to add the string tracking function tothe javalang.String object. The modified rt.jar may be the first packageand may replace the standard Java rt.jar during application execution.Operation 810C may compare a first string, a string 001100 of input tag410, to a second string, a string 001100 of sanitization tag 408, usingthe string tracking function of the java.lang.String object to detectsecurity vulnerabilities.

FIG. 8B shows more details of an example operation 800B in FIG. 8A,where code is inserted or added to the software application. Operation801 may start a software application, such as the software application210 in FIG. 7B. Operation 803 may load a class of the softwareapplication, into the execution engine 262 as shown in FIG. 7B.Operation 805 may intercept the class loading.

Operation 807 may add bytecode to each method of the loaded class basedon a runtime analysis rule. For example, operation 807 may either add anevent tag or check for an event tag, where the event tag may be theinput tag 216 or the sanitization tag 228 of the software application210 as shown in FIG. 7A. As mentioned above, event tag checking may usea new string comparison tracking function added to the programminglanguage platform 260.

After one class is loaded and the additional code is inserted intomethods of the loaded class, operation 800B continues to load anotherclass of the software application. This sequence of operations isrepeated until all of the classes of the software application are loadedand code inserted into each class. In some examples, the loading of theclasses may be done at one time so that all classes of the softwareapplication are loaded before the software application runs. In someother examples, the loading of the classes may be done when needed, orat various different times depending on the nature of the classes. Forexample, in a software application written in Java, Java privilegedclasses may be loaded first, and then the software application bootstrapclasses may be loaded. Furthermore, specific class for the softwareapplication may be loaded when the class is needed.

FIG. 8C shows the operations of modifying code of a softwareapplication, such as the software application 210 or the programmingplatform 260 performed by a code weaving system 811. In general, a codeweaving system 811 may be referred to as a metaprogram, which may be acomputer program with the ability to treat other programs as its data.For example, the code weaving system 811 may be designed to read,generate, analyze, or transform other programs, such as the softwareapplication 210 or the programming platform 260.

In one example, the code weaving system 811 may be an aspect weaver,which is a metaprogramming utility for aspect-oriented languagesdesigned to take instructions specified by aspects (isolatedrepresentations of a significant concepts in a program) and generatefinal implementation code. The code weaving system 811 may integrate theaspects into locations specified by the software as a pre-compilationstep, post-compilation step, or at runtime. By merging aspects andclasses, the code weaving system 811 may generate a woven class. In oneexample, the aspects may be runtime analysis rules 218 for detectingsecurity vulnerabilities of the software application 210, as shown inFIGS. 7A and 7B.

In one example, source code 263 for a portion of a programming languageplatform, such as JVM, may be converted into intermediate language code265. Conversion of the source code 263 to the intermediate language code265 may be performed by a compiler, an interpreter, or a combination ofboth. After the conversion, the code weaving system 811 may add a newfunctionality 816 into the intermediate language code 265 to create afirst package 823. The first package may be a woven programming languageplatform, such as, woven JVM. In one example, the new functionality 816may be a string tracking function.

Source code 213 of software application 210 may be converted into codein an intermediate language 215. The code weaving system 811 may modifythe code in the intermediate language 215 based on runtime analysisrules 218 to create a second package 827, which may be the wovensoftware application. The second package 827 may be created in runtimeof the software application 210. Furthermore, the second package 827 maybe executed on the first package 823 operating on a hardware platform270 including an operating system 271 and a hardware 273.

In one example, the operations shown in FIG. 8C may modify the softwareapplication 210 in database system 16 shown in FIG. 7A. In one example,the operations may modify a functionality or add a new functionality toa programming language platform in intermediate language bytecode 265,as shown in operation 811 of FIG. 8C.

The operations shown in FIG. 8C may also modify the software application210 after the software application 210 receives a request 230 from auser system 12 as shown in FIG. 7A. The software application 210 may bemodified based on a runtime analysis rule 218 that uses the altered oradded functionality of the programming language platform, and based onthe received request. In addition, the operations shown in FIG. 8C mayexecute the woven software application 827 on the woven programminglanguage platform 823, to generate a hypertext transfer protocol (HTTP)response 232, to the received request 230.

A computer program for a hybrid code modification scheme in anintermediate language may be a computer program comprising a set ofinstructions operable to: modify a portion of the programming languageplatform in the intermediate language at a first time to alter afunctionality of or add a new functionality to the programming languageplatform; and modify the software application in the intermediatelanguage at a second time different from the first time, wherein thesoftware application may be modified based on a runtime analysis rulethat uses the altered or added new functionality of the programminglanguage platform. The computer program may further comprise a set ofinstructions operable to execute the modified software application onthe modified programming language platform.

The computer program for a hybrid code modification scheme in anintermediate language can be applied to a runtime analysis framework(RTA) to embed runtime analysis rules inside a software application todetect security vulnerabilities. The software application may operate ina database system that receives a request from a user system andgenerates a hypertext transfer protocol (HTTP) response to the receivedrequest. The RTA may embed a runtime analysis rule by assigning an inputtag or a sanitization tag to an object in the software application, todetect potential security vulnerabilities. Such runtime analysis rulesmay be embedded based on hybrid code modification in an intermediatelanguage. Furthermore, the computer program for hybrid code modificationin an intermediate languagein may be applied to other softwareapplications as well besides for detecting security vulnerabilitiesbased on runtime analysis rules.

In one example, the first package including the modified portion of theprogramming language platform and the second package including themodified software application may be created by a system including aprocessor and a memory. The memory may store one or more sequences ofinstructions which, when executed by the processor, cause the processorto create the first package of code by modifying a portion of aprogramming language platform in the intermediate language at a firsttime to alter a functionality of or add a new functionality to theprogramming language platform. The one or more sequences of instructionsmay also cause the processor to create the second package of code bymodifying the software application in the intermediate language at asecond time different from the first time, wherein the softwareapplication is modified based on a runtime analysis rule that uses thealtered or added new functionality of the programming language platform.

The specific details of the specific aspects of implementationsdisclosed herein may be combined in any suitable manner withoutdeparting from the spirit and scope of the disclosed implementations.However, other implementations may be directed to specificimplementations relating to each individual aspect, or specificcombinations of these individual aspects. Additionally, while thedisclosed examples are often described herein with reference to animplementation in which an on-demand database service environment isimplemented in a system having an application server providing a frontend for an on-demand database service capable of supporting multipletenants, the present implementations are not limited to multi-tenantdatabases or deployment on application servers. Implementations may bepracticed using other database architectures, i.e., ORACLE®, DB2® by IBMand the like without departing from the scope of the implementationsclaimed.

It should also be understood that some of the disclosed implementationscan be embodied in the form of various types of hardware, software,firmware, or combinations thereof, including in the form of controllogic, and using such hardware or software in a modular or integratedmanner. Other ways or methods are possible using hardware and acombination of hardware and software. Additionally, any of the softwarecomponents or functions described in this application can be implementedas software code to be executed by one or more processors using anysuitable computer language such as, for example, Java, C++ or Perlusing, for example, existing or object-oriented techniques. The softwarecode can be stored as a computer- or processor-executable instructionsor commands on a physical non-transitory computer-readable medium.Examples of suitable media include random access memory (RAM), read onlymemory (ROM), magnetic media such as a hard-drive or a floppy disk, oran optical medium such as a compact disk (CD) or DVD (digital versatiledisk), flash memory, and the like, or any combination of such storage ortransmission devices. Computer-readable media encoded with thesoftware/program code may be packaged with a compatible device orprovided separately from other devices (for example, via Internetdownload). Any such computer-readable medium may reside on or within asingle computing device or an entire computer system, and may be amongother computer-readable media within a system or network. A computersystem, or other computing device, may include a monitor, printer, orother suitable display for providing any of the results mentioned hereinto a user.

While some implementations have been described herein, it should beunderstood that they have been presented by way of example only, and notlimitation. Thus, the breadth and scope of the present applicationshould not be limited by any of the implementations described herein,but should be defined only in accordance with the following andlater-submitted claims and their equivalents.

What is claimed is:
 1. A computer program product comprising anon-transitory computer-readable medium containing an executable set ofinstructions for code modification of a programming language platformand a software application in a bytecode language, the set ofinstructions configured to: modify an execution engine of theprogramming language platform in the bytecode language when theexecution engine is converted from source code into code in the bytecodelanguage to alter a functionality of or add a new functionality to theprogramming language platform, wherein the modification of the executionengine is performed by at least one of a compiler and an interpreter;modify the software application in the bytecode language at runtime ofthe software application, wherein the software application is modifiedto include a runtime analysis rule that uses the altered or added newfunctionality of the programming language platform, wherein the softwareapplication is modified by; i) after startup of the softwareapplication, loading a class of the software application into theexecution engine; ii) inserting a first bytecode to methods of theloaded class based on the runtime analysis rule that uses the newfunctionality of the programming language platform; iii) after the classis loaded and the first bytecode is inserted into the methods of theloaded class, loading another class of the software application andrepeating processes i)-iii) until all the classes of the softwareapplication are loaded and the first bytecode inserted into the classes;and execute the modified software application on the modified executionengine.
 2. The computer program product of claim 1, wherein theprogramming language platform is Java programming platform.
 3. Thecomputer program product of claim 2, wherein the execution engine of theprogramming language platform is a Java Virtual Machine (JVM).
 4. Thecomputer program product of claim 1, wherein the bytecode languageoperates on different hardware platforms independent of hardware and anoperating system on the hardware.
 5. The computer program product ofclaim 1, wherein the software application operates in a database systemand receives requests from a user system.
 6. The computer programproduct of claim 1, wherein the software application generates ahypertext transfer protocol (HTTP) response to a request received from auser system.
 7. The computer program product of claim 1, wherein theruntime analysis rule assigns an input tag or a sanitization tag to anobject in the software application.
 8. The computer program product ofclaim 1, wherein the modified execution engine of the programminglanguage platform is included in a first software package, and themodified software application is included in a second software packagedifferent from the first software package.
 9. The computer programproduct of claim 1, wherein the set of instructions operable to modifythe execution engine of the programming language platform is to insertfirst code in the bytecode language into the execution engine of theprogramming language platform to add the new functionality, the set ofinstructions operable to modify the software application is to insertsecond code to the software application, wherein the modified softwareapplication uses the added new functionality of the programming languageplatform.
 10. The computer program product of claim 1, wherein thealtered or the added new functionality is a string tracking function, astream tracking function, or an array tracking function.
 11. A systemfor code modification in a bytecode language, comprising: a hardwareprocessor; and memory storing one or more sequences of instructionswhich, when executed by the processor, cause the processor to carry outthe steps of: modifying an execution engine of a programming languageplatform in the bytecode language when the execution engine is convertedfrom source code into code in the bytecode language to alter afunctionality of or add a new functionality to the programming languageplatform, wherein the modification of the execution engine is performedby at least one of a compiler and an interpreter; and modifying asoftware application in the bytecode language at runtime of the softwareapplication, wherein the software application is modified to include aruntime analysis rule that uses the altered or the added newfunctionality of the programming language platform, wherein the softwareapplication is modified by; i) after startup of the softwareapplication, loading a class of the software application into theexecution engine; ii) inserting a first bytecode to methods of theloaded class based on the runtime analysis rule that uses the newfunctionality of the programming language platform; iii) after the classis loaded and the first bytecode is inserted into the methods of theloaded class, loading another class of the software application andrepeating processes i)-iii) until all the classes of the softwareapplication are loaded and the first bytecode inserted into the classes.12. The system of claim 11, wherein the instructions further cause theprocessor to carry out the steps of: creating a first package of codethat includes the modified execution engine of the programming languageplatform; creating a second package of code that includes the modifiedsoftware application; and executing the second package of code on thefirst package of code.
 13. The system of claim 11, wherein theprogramming language platform is Java programming platform, theexecution engine of the programming language platform is a Java VirtualMachine (JVM).
 14. The system of claim 11, wherein the bytecode languageoperates on different hardware platforms independent of hardware and anoperating system operating on the hardware.
 15. The system of claim 11,wherein the software application operates in a database system, receivesa request from a user system, and generates a hypertext transferprotocol (HTTP) response to the received request.
 16. The system ofclaim 11, wherein the runtime analysis rule assigns an input tag or asanitization tag to an object in the software application.
 17. Thesystem of claim 11, wherein modifying the execution engine of theprogramming language platform in the bytecode language is to insertfirst code in the bytecode language to the execution engine of theprogramming language platform to add the new functionality, andmodifying the software application in the bytecode language is to insertsecond code to the software application, wherein the modified softwareapplication uses the added new functionality of the programming languageplatform.
 18. The system of claim 17, wherein the new functionality inthe programming language platform is a string tracking function, astream tracking function, or an array tracking function.
 19. A methodfor code modification in a bytecode language for a software applicationin a database system, comprising: adding a new functionality to anexecution engine of a programming language platform after the executionengine is converted from source code into code in the bytecode language,wherein the new functionality is a string tracking function, a streamtracking function, or an array tracking function, wherein themodification of the execution engine by the adding is performed by atleast one of a compiler and an interpreter; modifying a softwareapplication after the software application receives a request from auser system, wherein the software application is modified to include aruntime analysis rule that uses the added functionality of theprogramming language platform, wherein the software application ismodified by; i) after startup of the software application, loading aclass of the software application into the execution engine; ii)inserting a first bytecode to methods of the loaded class based on theruntime analysis rule that uses the new functionality of the programminglanguage platform; iii) after the class is loaded and the first bytecodeis inserted into the methods of the loaded class, loading another classof the software application and repeating processes i)-iii) until allthe classes of the software application are loaded and the firstbytecode inserted into the classes; and executing the modified softwareapplication on the modified execution engine with the new functionalityto generate a hypertext transfer protocol (HTTP) response to thereceived request.
 20. The method of claim 19, wherein the programminglanguage platform is Java programming platform, the execution engine ofthe programming language platform is a Java Virtual Machine (JVM). 21.The method of claim 19, wherein the bytecode language operates ondifferent hardware platforms independent of hardware and an operatingsystem operating on the hardware.
 22. The method of claim 19, whereinthe runtime analysis rule assigns an input tag or a sanitization tag toa method of an object in the software application.